b'Risk Assessment of Major Functions Within\nUSAID/Ecuador\nReport No. 1-518-03-001-S\n\nOctober 1, 2002\n\n\n\n\n                  San Salvador, El Salvador\n\x0c             RIG/San Salvador\n\n\n\n\n             October 1, 2002\n\n             MEMORANDUM\n\n             FOR:               USAID/Ecuador Director, Lawrence J. Klassen\n\n             FROM:              RIG/San Salvador, Timothy E. Cox\n\n             SUBJECT:           Risk Assessment of Major Functions Within USAID/Ecuador\n                                (Report No. 1-518-03-001-S)\n\n             This memorandum is our report on the subject risk assessment. This is not an\n             audit report and does not contain any formal recommendations for your action.\n\n             Thank you for providing comments to the draft report. Your comments are\n             included in Appendix II of this report.\n\n             Once again, I appreciate the cooperation and courtesy extended to my staff during\n             the risk assessment.\n\n\n\nBackground   Ecuador faces a variety of development challenges. According to the fiscal year\n             2003 Budget Justification to the Congress, USAID noted that, although the\n             economy is improving, inflation and unemployment in 2001 were high at 24\n             percent and 11 percent, respectively. Furthermore, 70 percent of Ecuador\xe2\x80\x99s\n             population lives in poverty, confidence in democracy is dangerously low, and\n             narco-terrorism from Colombia increasingly threatens the northern border region.\n\n\n\n\n                                                                                                 1\n\x0c             USAID/Ecuador\xe2\x80\x99s program areas and their approximate fiscal year 2001 and 2002\n             funding levels, in millions, are presented in the following table:\n\n                                                                   FY 2001       FY 2002\n\n              Southern Border Integration                                $ 3.1      $ 2.3\n\n              Northern Border Development                                  8.0       10.0\n\n              Poverty Reduction                                            3.5        6.9\n\n              Democracy                                                    5.3        7.6\n\n              Biodiversity Conservation                                    5.0        7.4\n\n                                                                         $24.9      $34.2\n\n             The U.S. General Accounting Office (GAO) noted in Standards for Internal\n             Control in the Federal Government (November 1999) that internal controls should\n             provide reasonable assurance that agency objectives are being achieved, operations\n             are effective and efficient, and assets are safeguarded against loss. Conducting\n             risk assessments is one technique identified by the GAO to enhance internal\n             controls.\n\n             The purposes of the risk assessment were to assist the Regional Inspector General\n             in planning future audits and to identify opportunities for improvement in\n             USAID/Ecuador operations. Our scope and methodology are presented in\n             appendix I.\n\n\n\nDiscussion   In judging the risk exposure for the major functions in USAID/Ecuador, we\n             considered:\n\n             \xe2\x80\xa2   the amount of funding the individual programs received relative to the overall\n                 mission budget (see above details of the mission\xe2\x80\x99s $34.2 million fiscal year\n                 2002 program budget),\n\n             \xe2\x80\xa2   the level of U.S. interest in the program activities,\n\n             \xe2\x80\xa2   the level of involvement and/or support provided by the Government of\n                 Ecuador,\n\n             \xe2\x80\xa2   the experience of key staff members in their area of expertise as well as in\n                 Ecuador,\n\n\n                                                                                                  2\n\x0c\xe2\x80\xa2    incidences of improper administration or material weaknesses (if any) noted in\n     prior reviews and/or as reported by mission officials,\n\n\xe2\x80\xa2    management support for internal controls, and\n\n\xe2\x80\xa2    the level of risk inherently present in an activity that program or administrative\n     objectives will not be met.\n\nOur risk assessment of USAID/Ecuador covered nine functions. We judged two\nfunctions to have a \xe2\x80\x9chigh\xe2\x80\x9d risk exposure, four functions to have a \xe2\x80\x9cmoderate\xe2\x80\x9d risk\nexposure, and three to have a \xe2\x80\x9clow\xe2\x80\x9d risk exposure. These judgements are\ndiscussed in the following tables.\n\n                   Function Description                           Risk Exposure\n Southern Border Integration \xe2\x80\x93 Income generation,                   Moderate\n access to social services, natural resources\n management, and effective local governance\n\n                               Risk Assessment Factors\n\n \xe2\x80\xa2    This function has been funded at levels lower than originally planned. With\n      fiscal year 2001 and 2002 funding levels of approximately $3.1 million and\n      $2.3 million, the function received less funding than the mission\xe2\x80\x99s other\n      program areas.\n\n \xe2\x80\xa2    The function\xe2\x80\x99s activities consist of a mix of lower risk activities, such as\n      technical assistance to micro entrepreneurs, and higher risk activities, such as\n      construction of public health infrastructure.\n\n \xe2\x80\xa2    Activities are implemented through a cooperative agreement with CARE\n      International. The fiscal year 2002 funding for CARE was $2.2 million.\n      CARE has numerous sub-grantees.\n\n \xe2\x80\xa2    The managers responsible for the function\xe2\x80\x99s activities have at least 10 years\n      of experience with USAID.\n\n \xe2\x80\xa2    CARE is subject to audit under Office of Management and Budget (OMB)\n      Circular No. A-133. Additionally, mission management decided to conduct\n      its own financial review of CARE.\n\n \xe2\x80\xa2    Audits were not obtained for sub-grantees. According to mission officials,\n      sub-grantee expenditures did not reach the threshold that would require an\n      audit.\n\n\n\n                                                                                      3\n\x0cSouthern Border Integration (continued)\n\n\xe2\x80\xa2   Management monitors function activities through review of annual work\n    plans, periodic progress reports, and site visits.\n\n\n\n                  Function Description                           Risk Exposure\nNorthern Border Development \xe2\x80\x93 Improved health                        High\nconditions in vulnerable towns, improved\ninfrastructure, and strengthened civil society\n\n                             Risk Assessment Factors\n\n\xe2\x80\xa2   With fiscal year 2001 and 2002 funding levels of approximately $8 million\n    and $10 million, the function was the most significant portion of the\n    USAID/Ecuador portfolio.\n\n\xe2\x80\xa2   Funded as part of the Andean Counter-Narcotics Initiative, the function is\n    high profile and sensitive.\n\n\xe2\x80\xa2   The function\xe2\x80\x99s activities consist of a mix of lower risk activities, such as\n    support for land titling for small farmers, and higher risk activities, such as\n    construction of roads, bridges, and irrigation systems.\n\n\xe2\x80\xa2   The manager responsible for the function\xe2\x80\x99s activities has 10 years of\n    experience with USAID.\n\n\xe2\x80\xa2   Activities are implemented through a cooperative agreement with the\n    International Organization for Migration (IOM). The fiscal year 2002\n    funding for IOM was $9.2 million. IOM is a public international\n    organization.\n\n\xe2\x80\xa2   Management monitors function activities through review of annual work\n    plans, periodic progress reports, and site visits.\n\n\n\n\n                                                                                      4\n\x0c                Function Description                              Risk Exposure\nPoverty Reduction \xe2\x80\x93 Micro-finance development and                   Moderate\nimproved policy and investment climate (macro-\neconomic issues)\n\n                             Risk Assessment Factors\n\n\xe2\x80\xa2   With fiscal year 2001 and 2002 funding levels of approximately $3.5 million\n    and $6.9 million, the function was a significant portion of the\n    USAID/Ecuador portfolio.\n\n\xe2\x80\xa2   Micro-finance activities are well defined with solid indicators and data\n    sources.\n\n\xe2\x80\xa2   Macro-economic activities are being undertaken at a high level. Attribution\n    of progress to USAID is difficult to establish.\n\n\xe2\x80\xa2   Success of macro-economic activities is highly dependent upon political will\n    and government support.\n\n\xe2\x80\xa2   Activities are primarily technical assistance and training.\n\n\xe2\x80\xa2   Activities are implemented through contracts with Development Alternatives\n    Incorporated (DAI) and with the World Council of Credit Unions\n    (WOCCU). The fiscal year 2002 funding for DAI and for WOCCU was $4.5\n    million and $1.5 million, respectively.\n\n\xe2\x80\xa2   DAI is subject to audit by the Defense Contract Audit Agency. WOCCU is\n    subject to audit under OMB Circular No. A-133.\n\n\xe2\x80\xa2   Management monitors function activities through review of annual work\n    plans and periodic progress reports.\n\n\n\n\n                                                                                   5\n\x0c                 Function Description                          Risk Exposure\nDemocracy \xe2\x80\x93 Improved transparency and                              High\naccountability of democratic institutions, greater\ninclusiveness of democratic processes, and increased\npolicy consensus in key democratic areas\n\n                            Risk Assessment Factors\n\n\xe2\x80\xa2   With fiscal year 2001 and 2002 funding levels of approximately $5.3 million\n    and $7.6 million, the function was a significant portion of the\n    USAID/Ecuador portfolio.\n\n\xe2\x80\xa2   The function\xe2\x80\x99s activities are being implemented in a difficult environment.\n    Despite having been a democracy for over 20 years, Ecuador has not\n    institutionalized that form of government. Public confidence in democracy is\n    low.\n\n\xe2\x80\xa2   There may be a lack of political will for reform within government\n    institutions in some areas.\n\n\xe2\x80\xa2   Activities are implemented through a contract with Associates in Rural\n    Development (ARD), through a cooperative agreement with the Esquel\n    Foundation, and through several others including sub-grantees. The fiscal\n    year 2002 funding for ARD and for the Esquel Foundation was $3.3 million\n    and $1.5 million, respectively.\n\n\xe2\x80\xa2   The managers responsible for the function\xe2\x80\x99s activities have at least 10 years\n    of experience with USAID.\n\n\xe2\x80\xa2   Staffing constraints have hampered effectiveness. Additional staffing is\n    planned.\n\n\xe2\x80\xa2   ARD is subject to audit by the Defense Contract Audit Agency. A local\n    public accounting firm audits the Esquel Foundation.\n\n\xe2\x80\xa2   Management plans to review the financial and administrative capacity of\n    some sub-grantees.\n\n\xe2\x80\xa2   Management monitors function activities through review of annual work\n    plans, periodic progress reports, and site visits.\n\n\n\n\n                                                                                    6\n\x0c                 Function Description                            Risk Exposure\nBiodiversity Conservation \xe2\x80\x93 Protection of Quito\xe2\x80\x99s                  Moderate\nwatershed, conservation of the Galapagos Islands, and\nprotection of habitats in the northern border region\n\n                             Risk Assessment Factors\n\n\xe2\x80\xa2   With fiscal year 2001 and 2002 funding levels of approximately $5.0 million\n    and $7.4 million, the function was a significant portion of the\n    USAID/Ecuador portfolio.\n\n\xe2\x80\xa2   Program activities are in a state of transition. Most current activities will be\n    terminating in 2003.\n\n\xe2\x80\xa2   Commercial interests seeking greater access to tuna fishing have opposed\n    activities in the Galapagos Island Marine Reserve.\n\n\xe2\x80\xa2   Activities are implemented through cooperative agreements with CARE\n    International, The Nature Conservancy (TNC), and the Charles Darwin\n    Foundation. The fiscal year 2002 funding for CARE, TNC, and the Charles\n    Darwin Foundation was (in thousands) approximately $518, $875, and $250,\n    respectively.\n\n\xe2\x80\xa2   Other activities are implemented under interagency agreements with the U.S.\n    Department of Interior (DOI). Fiscal year 2002 funding for the DOI was\n    $2.1 million.\n\n\xe2\x80\xa2   Fiscal year 2002 purchase orders, grants, and contracts in excess of $2.9\n    million are pending award.\n\n\xe2\x80\xa2   CARE and TNC are subject to audit under OMB Circular No. A-133. A\n    local public accounting firm audits the Charles Darwin Foundation.\n\n\xe2\x80\xa2   Managers responsible for the function\xe2\x80\x99s activities have at least 10 years of\n    experience with USAID.\n\n\xe2\x80\xa2   Management monitors function activities through review of annual work\n    plans, periodic progress reports, and site visits.\n\n\n\n\n                                                                                       7\n\x0c                 Function Description                          Risk Exposure\nContracting Office \xe2\x80\x93 Contract negotiation, contract                 Low\ndrafting, and contract management services\n\n                            Risk Assessment Factors\n\n\xe2\x80\xa2   USAID/Ecuador does not have a U. S. Direct Hire Contracting Officer. The\n    Regional Contracting Officer in Lima, Peru supports the mission.\n\n\xe2\x80\xa2   The Contracting Office staff member, a contracting specialist, has 13 years\n    of experience with USAID.\n\n\xe2\x80\xa2   Contracting Office staff is a member of the strategic and special objective\n    teams responsible for implementing functions.\n\n\xe2\x80\xa2   The contracting specialist makes periodic site visits and performs analyses of\n    financial data submitted by USAID partners.\n\n\xe2\x80\xa2   A procurement plan has been prepared and is reviewed regularly.\n\n\n\n              Function Description                             Risk Exposure\nProgram Office \xe2\x80\x93 Coordinates budget and annual                      Low\nreporting\n\n                            Risk Assessment Factors\n\n\xe2\x80\xa2   Operations are structured with oversight from USAID/Washington and\n    mission management.\n\n\xe2\x80\xa2   The manager responsible for the office\xe2\x80\x99s activities has 15 years of experience\n    with USAID. However, management is in a state of transition. A\n    replacement office chief has been assigned to post.\n\n\xe2\x80\xa2   Office personnel are members of the strategic and special objective teams\n    responsible for implementing functions.\n\n\n\n\n                                                                                     8\n\x0c                 Function Description                         Risk Exposure\nExecutive Office \xe2\x80\x93 General services, information                Moderate\nsystems, personnel, procurement, maintenance, motor\npool, and property management\n\n                             Risk Assessment Factors\n\n\xe2\x80\xa2   We judged the function to have a high level of inherent risk due to the high\n    number of regulations and procedures that must be followed in performing\n    functions.\n\n\xe2\x80\xa2   USAID/Ecuador does not have a U.S. Direct Hire Executive Officer. The\n    mission is supported by the Regional Executive Officer in Lima, Peru.\n\n\xe2\x80\xa2   The Regional Executive Officer is authorized to approve procurements and\n    periodically visits USAID/Ecuador.\n\n\xe2\x80\xa2   Local hire Executive Office staff have between 7 and 22 years of experience\n    with USAID.\n\n\xe2\x80\xa2   The Executive Office in Ecuador has a customer service plan that\n    incorporates performance targets.\n\n\xe2\x80\xa2   Draft information systems contingency and security plans have been\n    developed.\n\n\xe2\x80\xa2   Inventory is counted at least annually.\n\n\xe2\x80\xa2   Vehicle usage reports are prepared monthly.\n\n\n              Function Description                            Risk Exposure\nFinancial Management Office \xe2\x80\x93 Accounting,                          Low\nvoucher payment, and financial analysis\n\n                             Risk Assessment Factors\n\n\xe2\x80\xa2   USAID/Ecuador is not an accounting station. The mission does not have a\n    U. S. Direct Hire Controller. The Financial Management Office in Lima,\n    Peru supports the mission.\n\n\xe2\x80\xa2   The Deputy Controller in Lima is authorized to certify vouchers and\n    periodically visits USAID/Ecuador.\n\n\n\n                                                                                   9\n\x0c Financial Management Office (continued)\n\n \xe2\x80\xa2   Local hire Financial Management Office staff members have between 2 and\n     18 years of experience with USAID.\n\n \xe2\x80\xa2   Office personnel are members of the strategic and special objective teams\n     responsible for implementing functions.\n\n \xe2\x80\xa2   Operations are structured, documented, and periodically reviewed.\n\n\nDuring the course of the risk assessment, we noted a number of formal and\ninformal procedures that were incorporated by USAID/Ecuador to manage its\nprograms. We are making, based on our conversations and limited review of\nmission documentation, the following suggestions for mission management to\nconsider. These are not formal audit recommendations. The suggestions do not\nnecessarily represent deficiencies but involve possible improvements or\nenhancements to activities already in process.\n\n\xe2\x80\xa2    Although not required by policy, USAID/Ecuador does not document formal\n     cost/benefit analyses of potential development activities before they are\n     selected for implementation. Enhancement to the new activity selection\n     process could be attained through documenting the costs and benefits of\n     competing activities before determining which to implement.\n\n\xe2\x80\xa2    USAID policy requires non-U.S. recipients who spend more than $300,000 in\n     a year to obtain a financial audit. In some cases, these recipients may receive\n     less than the threshold in a year but over several years may still spend a\n     significant amount. Likewise, an audit may be justified based on non-\n     financial implementation risks facing the recipient. USAID/Ecuador could\n     consider whether sub-grantees expending less than $300,000 per year merit\n     being audited based on the cumulative amount of multi-year awards or other\n     risk factors.\n\n\xe2\x80\xa2    At times, the initially planned funding levels are reduced over the life of an\n     activity. The mission could, in planning activities, assess the likelihood of\n     funding shortfalls in the implementation design. By anticipating different\n     funding levels, USAID/Ecuador could incorporate contingencies into the\n     activity design to minimize the impact of funding cuts on the effectiveness of\n     planned activities.\n\n\xe2\x80\xa2    Site visits are an integral part of USAID/Ecuador\xe2\x80\x99s monitoring plan.\n     Although activity managers make frequent field visits, they do not select sites\n\n\n\n                                                                                  10\n\x0c                   based on a field visit strategy. USAID/Ecuador could enhance the\n                   effectiveness of its monitoring and data verification activities by documenting\n                   field visit strategies.\n\n             \xe2\x80\xa2     Due to its relatively small size, the mission did not have a proper segregation\n                   of duties over the inventory, procurement, receiving, and warehousing\n                   functions. Management should ensure that mitigating controls are in place to\n                   compensate for the lack of segregation of duties.\n\n             \xe2\x80\xa2     USAID/Ecuador analyzes the month-to-month fluctuations in vehicle\n                   performance and operating cost. The mission could benefit by performing a\n                   12-month trend analysis of vehicle performance and operating cost.\n\n             \xe2\x80\xa2     One of the activities at the mission is being implemented by the International\n                   Organization for Migration (IOM). Often with activities implemented by\n                   public international organizations, donors do not have audit rights. In this\n                   instance, since USAID is the sole donor, the agreement grants audit\n                   privileges. The mission should consider contracting for a financial audit of\n                   the $17.1 million IOM activity.\n\n             \xe2\x80\xa2     The Executive Office has created a customer service plan that includes\n                   performance measures. However, the office does not collect statistics to\n                   measure performance against those targets. The office should consider\n                   collecting data to measure performance.\n\n             \xe2\x80\xa2     Draft information systems security and disaster recovery/contingency plans\n                   have been completed. However, sections of the plan are presented at a\n                   general level. The mission could improve the usefulness of the plans by\n                   including detailed recovery steps, a testing strategy and a testing schedule in\n                   the information systems contingency plan.\n\n\n\nConclusion   This review assigned a risk exposure judgement of high, moderate, or low for each\n             major function. The risk assignments are summarized in the table below.\n\n                                                                     Risk Exposure\n                          Function Description                  High   Moderate    Low\n                 Southern Border Integration\n                                                                             9\n                 Northern Border Development\n                                                                 9\n                 Poverty Reduction\n                                                                             9\n\n                                                                                                 11\n\x0c                                                       Risk Exposure\n          Function Description                  High     Moderate    Low\n  Democracy\n                                                 9\n  Biodiversity Conservation\n                                                             9\n  Contracting Office\n                                                                         9\n  Program Office\n                                                                         9\n  Executive Office\n                                                             9\n  Financial Management Office\n                                                                         9\nA higher risk exposure judgement implies that the program objectives for a\nparticular function are more vulnerable to not being achieved or to experiencing\nirregularities. Appendix I describes in detail our risk assessment\xe2\x80\x99s scope and\nmethodology.\n\n\n\n\n                                                                                   12\n\x0c                                                                                      Appendix I\n\n\nScope and     Scope\nMethodology\n              The Regional Inspector General/San Salvador conducted a risk assessment of\n              major functions within USAID/Ecuador. The risk assessment considered\n              operations principally for fiscal year 2002. The risk assessment was conducted at\n              USAID/Ecuador from June 3 \xe2\x80\x93 7, 2002.\n\n              Methodology\n\n              We interviewed officials as well as reviewed related documentation of major\n              functions performed by USAID/Ecuador. These documents covered background,\n              organization, management, budget, staffing responsibilities, and prior reviews.\n              Our review of mission documentation was isolated and judgmental in nature and\n              was conducted principally to confirm our discussions with management.\n\n              We identified USAID/Ecuador\xe2\x80\x99s major functions based on input from the Mission\n              Director, discussions with mission staff, and review of mission reports. We judged\n              risk exposure (e.g., the likelihood of significant abuse, illegal acts, and/or misuse\n              of resources, failure to achieve program objectives, and noncompliance with laws,\n              regulations and management policies) for those major functions. We assessed\n              overall risk exposure as high, moderate, or low. A higher risk exposure simply\n              indicates that the particular function is more vulnerable to not achieving its\n              program objectives or to experiencing irregularities. We considered the following\n              key steps in assessing risk exposure:\n\n              1. significance and sensitivity;\n\n              2. susceptibility (inherent risk) of failure to attain program goals, noncompliance\n                 with laws and regulations, inaccurate reporting, or illegal or inappropriate use\n                 of assets or resources;\n\n              3. "red flags\xe2\x80\x9d such as a history of improper administration or material weaknesses\n                 identified in prior audits/internal control assessments, poorly defined and\n                 documented internal control procedures, or high rate of personnel turnover;\n\n              4. management support and the control environment;\n\n              5. competence and adequacy of number of personnel;\n\n              6. relevant internal controls; and\n\n              7. what was already known about internal control effectiveness.\n\n\n\n\n                                                                                                13\n\x0c                                                                         Appendix I\n\nThese risk exposure assessments were not sufficient to make definitive\ndeterminations of the effectiveness of internal controls for major functions. As\npart of the scope of our review, we (a) identified, understood, and documented\n(only as necessary) relevant internal controls and (b) determined what was already\nknown about the effectiveness of internal controls.\n\nOur risk assessment has the following limitations.\n\n\xe2\x80\xa2   First, we assessed risk exposure at the major function level only.\n\n\xe2\x80\xa2   Second, we only assessed risk exposure. Our assessments were not sufficient\n    to make definitive determinations of the effectiveness of internal controls for\n    major functions. Consequently, we did not (a) assess the adequacy of internal\n    control design, (b) determine if controls were properly implemented, nor (c)\n    determine if transactions were properly documented.\n\n\xe2\x80\xa2   Third, higher risk exposure assessments are not definitive indicators that\n    program objectives are not being achieved or that irregularities are occurring.\n    A higher risk exposure simply implies that the particular function is more\n    vulnerable to such events.\n\n\xe2\x80\xa2   Fourth, risk exposure assessments, in isolation, are not an indicator of\n    management capability due to the fact that the assessments consider both\n    internal and external factors, some being outside the span of control of\n    management.\n\n\xe2\x80\xa2   Fifth, comparison of risk exposure assessments between organizational units is\n    of limited usefulness due to the fact that the assessments consider both internal\n    and external factors, some being outside the span of control of management.\n\n\n\n\n                                                                                   14\n\x0c                                                                                        Appendix II\n\n\nManagement\nComments\n\n          2/11/03\n\n          Lars Klassen, USAID/Ecuador Director\n\n          Risk Assessment of Major Functions Within USAID/Ecuador (Draft Report)\n\n          Tim Cox, RIG/San Salvador\n\n          Below are the Mission\xe2\x80\x99s comments in response to the suggestions stated in the subject\n          draft report:\n\n       1. Document formal cost/benefit analysis of potential development activities. The Mission\n          appreciates RIG\xe2\x80\x99s suggestion that the Mission document formal cost/benefit analysis. If\n          we were to undertake cost/benefit analysis on future projects, it would easily complicate\n          analysis work we perform regarding factors such as sustainability, environmental,\n          political, and technical considerations. For example, under our Northern Border program\n          a range of criteria are already being designed and used which take into account many\n          selection criteria to give an overall picture. One such element is economic feasibility\n          which addresses cost. However, undertaking such a suggestion Mission-wide has other\n          broader implications.\n\n          The current Agency Automated Directives System (ADS), upon which Agency design\n          documentation is outlined, specifies that financial analysis is an optional analysis that an\n          operating unit may undertake during the preparation of its strategy. It also includes non-\n          mandatory guidance on the design of activities wherein documentation flexibility is the\n          key. The ten steps in activity design do not require a cost analysis nor is there reference\n          to same. If you believe RIG\xe2\x80\x99s suggestion on cost/benefit analysis has broader application\n          to Agency operations, we would recommend that RIG contact PPC/PC in AIDW to\n          discuss whether such a recommendation should change Agency policy. We are sure you\n          can appreciate that we would not want to commit to implementing such a suggestion\n          across the board if it is not required.\n\n       2. Assess whether sub-grantees expending less than $300,000 per year merit being audited.\n          The assessment will be done every year when the audit inventory/plan is being prepared.\n\n       3. In planning activities assess the likelihood of funding shortfalls in the implementation\n          design \xe2\x80\x93 be proactive rather than reactive. Our long term future program funding levels\n          are uncertain. We are currently beginning to conceive the length and size of a possible\n          future program over the next year. In this stage, there are a range of interrelated issues\n          that would affect funding scenarios (GDA, trade, conflict prevention, ESF and INC\n\n\n                                                                                                   15\n\x0c                                                                                  Appendix I\n\n   levels, etc.) and the timing of the new strategy. Parameters for our future program have\n   also yet to be set. Over the coming two years, we will be working with a newly elected\n   GOE, and of course a new Embassy Front Office in securing mutual agreement with\n   AID/W on future overall planning levels for the program. Given all of the foregoing\n   variables and unknowns, then, we trust that you understand our concerns on this\n   recommendation; we are unable to assess what short falls there might be or when they\n   might occur, at this point.\n\n4. Document field visit strategies. The Mission will prepare a document where a\n   methodology will be established to document field visit strategies. Also the document\n   will contain a methodology to document the validation of indicators.\n\n5. Mitigating controls to compensate the lack of segregation of duties. The Executive and\n   Controllers Offices will evaluate this and will document the mitigating controls that are\n   in place or will be implemented in the future.\n\n6. Perform a 12-month analysis of vehicle gas mileage on the mission\xe2\x80\x99s vehicles to\n   determine if the mileage is reasonable. EXO will prepare a 12 month trend analysis of\n   vehicle performance and cost.\n\n7. Contract for a financial audit of the International Organization for Migrations (IOM). A\n   two year audit (2002-2003) is planned, and is expected to start the second quarter of\n   FY03.\n\n8. The Executive Office should consider collecting data to measure performance. The\n   Executive Office will begin to collect data to track performance measures with respect to\n   its operations.\n\n9. Include detailed recovery steps, a testing strategy and a testing schedule in the\n   information systems contingency plans. A recovery and contingency plan has been\n   developed. It was tested during a real situation and worked well. The final version of the\n   plan will be ready after the ISSO clearance.\n\n   Finally it is important to note that the Mission found this exercise very useful to identify\n   areas of high, medium and low risk. The Mission will take the necessary measures to\n   reinforce or implement new controls in all areas identified as having a \xe2\x80\x9chigh\xe2\x80\x9d risk\n   exposure. Also, the Mission will try to improve all controls related to areas of\n   \xe2\x80\x9cmoderate\xe2\x80\x9d and \xe2\x80\x9clow\xe2\x80\x9d risk exposure.\n\n\n   cc. Steve Bernstein, RIG/San Salvador\n       John Vernon, RIG/San Salvador\n\n\n\n\n                                                                                            16\n\x0c'